[
https://issues.jboss.org/browse/AS7-3415?page=com.atlassian.jira.plugin.s...
]
Peter Skopek commented on AS7-3415:
-----------------------------------
I have added one commit to the pull request above.
The security constraint url-pattern in web.xml contains /tg_mixed_override/* and the servlet is
mapped on /tg_mixed_override/srv/*.
The test is failing because access over non-confidential transport is possible and IMO it should
not be.
The truth is that if one changes the security constraint url-pattern to
/tg_mixed_override/srv/*, the test passes.
I cannot see any part of the spec which says that when a static constraint is used,
the constraint from web.xml has to be an exact match.
The same case works for a test set up with a non-annotated servlet and web.xml DD.
security-constraint/user-data-constraint/transport-guarantee in
web.xml file doesn't override setting from servlet @ServletSecurity transportGuarantee
parameter
----------------------------------------------------------------------------------------------------------------------------------------------------------------
Key: AS7-3415
URL: https://issues.jboss.org/browse/AS7-3415
Project: Application Server 7
Issue Type: Bug
Components: Web
Affects Versions: 7.1.0.CR1b
Reporter: Peter Skopek
Assignee: Remy Maucherat
security-constraint/user-data-constraint/transport-guarantee in web.xml file doesn't
override setting from servlet @ServletSecurity transportGuarantee parameter
{noformat}
My settings:
@ServletSecurity(@HttpConstraint(rolesAllowed = { "gooduser" },
        transportGuarantee = TransportGuarantee.CONFIDENTIAL))

web.xml excerpt:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>sec</web-resource-name>
        <url-pattern>/tgmixed/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>gooduser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
{noformat}
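An added example, not part of the original message or the AS7 code base: a small audit script that reports, for each servlet mapping in a web.xml, whether a security-constraint url-pattern is identical to it (the case the comment reports as passing) or only covers it through a broader path prefix (the case reported as failing). The embedded web.xml and the servlet name TgMixedServlet are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor modelled on the comment: constraint on /tg_mixed_override/*,
# servlet mapped on /tg_mixed_override/srv/*. The servlet name is hypothetical.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet-mapping>
    <servlet-name>TgMixedServlet</servlet-name>
    <url-pattern>/tg_mixed_override/srv/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/tg_mixed_override/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def relation(constraint, mapping):
    """Return 'exact' for identical patterns, 'prefix' when a /x/* constraint
    covers the mapping's path without being identical, otherwise None."""
    if constraint == mapping:
        return "exact"
    if constraint.endswith("/*"):
        base = constraint[:-2]
        path = mapping[:-2] if mapping.endswith("/*") else mapping
        if path == base or path.startswith(base + "/"):
            return "prefix"
    return None

def audit(xml_text):
    """List (servlet, mapping, constraint pattern, relation, transport guarantee)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop the XML namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    for sm in root.iter("servlet-mapping"):
        name = sm.findtext("servlet-name")
        for mp in sm.iter("url-pattern"):
            for sc in root.iter("security-constraint"):
                # A constraint without user-data-constraint is treated as NONE
                tg = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
                for cp in sc.iter("url-pattern"):
                    rel = relation(cp.text.strip(), mp.text.strip())
                    if rel:
                        findings.append((name, mp.text.strip(), cp.text.strip(), rel, tg))
    return findings

if __name__ == "__main__":
    for finding in audit(WEB_XML):
        print(finding)
```

Mappings reported as "prefix" are the ones worth testing over plain HTTP when the servlet class also carries a @ServletSecurity annotation.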